Gateway host configuration

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
I would like to give  a limited set of users ssh access to specific
internal hosts, from arbitrary external systems, via a gateway host.
A setup I came up with is:

* On GW host, have one (or more) gw accounts with a password.
* For every ssh user, in GW account on GW host:
** create a passphrase-protected key
** On each host they need to connect to:
*** copy key to their authorized_keys file

Each user should only be able to ssh into  the GW host , then ssh to
one of their allowed hosts by specifying their keyfile.

- Can I forbid password authentication from the GW host to the
internal hosts, but still allow it between two internal hosts? It
doesn't seem that PasswordAuthentication can appear in a Match
- Can I  forbid port forwarding to/from the GW, or at least require
use of a key rather than the password?
- Is this whole approach pointless, and should I be doing something
completely different?  The need is for a reasonably simple procedure
with as little as possible required on the remote end; it's acceptable
to need setup and preparation on the GW and/or internal systems.

Thanks for any suggestions.

Re: Gateway host configuration

I am assuming OpenSSH in the following.

Quoted text here. Click to load it

It can but it was only added in version 4.6.  Which version are you

Quoted text here. Click to load it

Set "AllowTcpForwarding no" in the gateway's sshd_config.

Quoted text here. Click to load it

If your gateway host supports it you could also use user-based packet
filter rules to restrict where you users can connect to, for example
"user <foo>" rules in PF or --uid-owner rules in iptables.

This would control all outgoing (and incoming) connections not just
those made by ssh.

Quoted text here. Click to load it

You're welcome.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Site Timeline